fix(hal): Make the ECDSA countermeasure dynamically applicable

This commit makes the ECDSA countermeasure dynamically applicable
    across different revisions of the ESP32H2 SoC.

components/esp_hw_support/port/esp32h2/Kconfig.hw_support

@@ -15,8 +15,6 @@ choice ESP32H2_REV_MIN
         bool "Rev v0.1 (ECO1)"
     config ESP32H2_REV_MIN_2
         bool "Rev v0.2 (ECO2)"
-    config ESP32H2_REV_MIN_102
-        bool "Rev v1.2 (ECO5)"
 endchoice
 
 config ESP32H2_REV_MIN_FULL
@@ -24,7 +22,6 @@ config ESP32H2_REV_MIN_FULL
     default 0 if ESP32H2_REV_MIN_0
     default 1 if ESP32H2_REV_MIN_1
     default 2 if ESP32H2_REV_MIN_2
-    default 102 if ESP32H2_REV_MIN_102
 
 config ESP_REV_MIN_FULL
     int
@@ -34,7 +31,7 @@ config ESP_REV_MIN_FULL
     # MAX Revision
     #
 
-    comment "Maximum Supported ESP32-H2 Revision (Rev v1.99)"
+    comment "Maximum Supported ESP32-H2 Revision (Rev v0.99)"
     # Maximum revision that IDF supports.
     # It can not be changed by user.
     # Only Espressif can change it when a new version will be supported in IDF.

components/hal/Kconfig

@@ -105,7 +105,7 @@ menu "Hardware Abstraction Layer (HAL) and Low Level (LL)"
 
     config HAL_ECDSA_GEN_SIG_CM
         bool "Enable countermeasure for ECDSA signature generation"
-        depends on IDF_TARGET_ESP32H2 && ESP32H2_REV_MIN_FULL < 102
+        depends on IDF_TARGET_ESP32H2
         default n
         help
             Enable this option to apply the countermeasure for ECDSA signature operation

components/hal/ecdsa_hal.c

@@ -12,6 +12,7 @@
 #if CONFIG_HAL_ECDSA_GEN_SIG_CM
 #include "esp_fault.h"
 #include "esp_random.h"
+#include "soc/chip_revision.h"
 #endif
 
 #if CONFIG_IDF_TARGET_ESP32C5
@@ -144,7 +145,11 @@ void ecdsa_hal_gen_signature(ecdsa_hal_config_t *conf, const uint8_t *hash,
     configure_ecdsa_periph(conf);
 
 #if CONFIG_HAL_ECDSA_GEN_SIG_CM
-    ecdsa_hal_gen_signature_with_countermeasure(hash, r_out, s_out, len);
+    if (!ESP_CHIP_REV_ABOVE(efuse_hal_chip_revision(), 102)) {
+        ecdsa_hal_gen_signature_with_countermeasure(hash, r_out, s_out, len);
+    } else {
+        ecdsa_hal_gen_signature_inner(hash, r_out, s_out, len);
+    }
 #else /* CONFIG_HAL_ECDSA_GEN_SIG_CM */
     ecdsa_hal_gen_signature_inner(hash, r_out, s_out, len);
 #endif /* !CONFIG_HAL_ECDSA_GEN_SIG_CM */

components/hal/test_apps/crypto/main/CMakeLists.txt

@@ -69,7 +69,7 @@ endif()
 
 idf_component_register(SRCS ${srcs}
                        PRIV_REQUIRES efuse mbedtls esp_mm bootloader_support
-                       REQUIRES test_utils unity
+                       REQUIRES test_utils unity ccomp_timer
                        WHOLE_ARCHIVE
                        PRIV_INCLUDE_DIRS "${priv_include_dirs}"
                        )

components/hal/test_apps/crypto/main/ecc/test_ecc.c

@@ -6,7 +6,9 @@
 
 #include <stdio.h>
 #include <stdbool.h>
+#include <sys/param.h>
 #include <string.h>
+
 #include "sdkconfig.h"
 #include "esp_private/esp_crypto_lock_internal.h"
 #include "esp_log.h"
@@ -17,6 +19,7 @@
 
 #include "memory_checks.h"
 #include "unity_fixture.h"
+#include "ccomp_timer.h"
 
 #define _DEBUG_                             0
 #define SOC_ECC_SUPPORT_POINT_MULT          1

components/hal/test_apps/crypto/main/idf_component.yml

@@ -0,0 +1,17 @@
+## IDF Component Manager Manifest File
+dependencies:
+  ## Required IDF version
+  idf:
+    version: '>=4.1.0'
+  # # Put list of dependencies here
+  # # For components maintained by Espressif:
+  # component: "~1.0.0"
+  # # For 3rd party components:
+  # username/component: ">=1.0.0,<2.0.0"
+  # username2/component2:
+  #   version: "~1.0.0"
+  #   # For transient dependencies `public` flag can be set.
+  #   # `public` flag doesn't have an effect dependencies of the `main` component.
+  #   # All dependencies of `main` are public by default.
+  #   public: true
+  espressif/ccomp_timer: '*'

components/mbedtls/port/ecdsa/ecdsa_alt.c

@@ -25,6 +25,8 @@
 
 #if CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN_CONSTANT_TIME_CM
 #include "esp_timer.h"
+#include "soc/chip_revision.h"
+#include "hal/efuse_hal.h"
 
 #if CONFIG_ESP_CRYPTO_DPA_PROTECTION_LEVEL_HIGH
 /*
@@ -360,9 +362,11 @@ static int esp_ecdsa_sign(mbedtls_ecp_group *grp, mbedtls_mpi* r, mbedtls_mpi* s
 #endif
         ecdsa_hal_gen_signature(&conf, sha_le, r_le, s_le, len);
 #if CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN_CONSTANT_TIME_CM
-        sig_time = esp_timer_get_time() - sig_time;
+        if (!ESP_CHIP_REV_ABOVE(efuse_hal_chip_revision(), 102)) {
-        if (sig_time < ECDSA_CM_FIXED_SIG_TIME) {
+            sig_time = esp_timer_get_time() - sig_time;
-            esp_rom_delay_us(ECDSA_CM_FIXED_SIG_TIME - sig_time);
+            if (sig_time < ECDSA_CM_FIXED_SIG_TIME) {
+                esp_rom_delay_us(ECDSA_CM_FIXED_SIG_TIME - sig_time);
+            }
         }
 #endif
         process_again = !ecdsa_hal_get_operation_result()